I have setup restic to my Backblaze account and all seems to be working as it should, but I’m wondering what would be the most secure way to save my Backblaze account information and encryption password?
Currently, I have everything exported from my .bash_profile, but I’m concerned this isn’t the most secure way to do it.
You don’t mention the environment in which you’re working, or what you’ve done to protect your .bash_profile from access by others, so what you’re doing may be adequate, but you’re right…exporting variables from a profile and leaving them exposed in your environment indefinitely is certainly not the most secure way to do it.
With the caveat that I’m not a Linux security expert, I can tell you what I’ve done. That is to set up a directory (…/restic/credentials/) which is owned by root and accessible only to root. I have files with my account credentials and repo credentials in that directory, with similar access restrictions. I then start restic via a short script, run as root, which parses my credentials files, exports the necessary variables, and builds and executes the restic command line. The theory is that only someone with superuser privileges can look at my credentials files directly or snoop on the environment of my backup process.
I’m sure that’s not the “most secure” way to do it–and no doubt other members of the forum can suggest more secure alternatives –but in my environment (a small server with a small number of trusted but non-privileged users) I think it’s sufficient.
I’ve done nothing to the .bash_profile to prevent others from accessing it, but I’m generally the only one using the computer since it’s my personal home computer.
I see that there is the “password-file” option in restic. Is that only used for the encryption password, or can it also be used for account credentials?
This might be a bit over-engineered with the 7-zip file and ramfs. You could simply export the variables from a GPG-symetrically-encrypted script and embed that in the outer script:
The only problem in my case, is that it’s not generic enough. (But it does give me an idea for an improvement.)
My script is more generic, in that 1) it can take any archive as an argument, and 2) the password can be trivially changed, without modifying the calling script.
But by extending it with your “execute a script” idea (why didn’t I think of that), it can be even more generic; I can simplify and make more generic, the main generic script; and the archived script can set any variables and invoke an arbitrary command, restic or otherwise.
The ramfs setup and teardown are both one-liners, fairly trivial, won’t swap contents to disk, and I don’t have to worry about credential bits lingering on persistent storage.